Law Enforcement Manuals and Guidelines

The U.S. Department of Justice (DOJ) and the National Institute for Justice (NIJ) have promulgated a number of policy manuals for law enforcement with guidelines on how to search, seize, examine, and admit electronic evidence in criminal prosecutions. These manuals offer a roadmap of the kinds of arguments and case law on which the government is likely to rely in conducting a digital device search.

The DOJ’s Computer Crimes and Intellectual Property Section (CCIPS) published a Manual for Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations. The 2009 manual even showcases template search warrant affidavit language that you can cite to in order to argue that the boilerplate language isn’t sufficiently particularized to your client. (See Appendix F at p.241).

Below are additional links to other law enforcement guides that detail procedures for how to collect or admit digital evidence:

National Institute for Justice Special Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement (1994). The report guides law enforcement agents on how to properly handle and secure digital evidence during criminal investigations, along with suggestions on proper policies and procedures that law enforcement agencies can adopt. Shortlink: https://eff.org/DOJNIJ1994

National Institute for Justice Special Report: Electronic Crime Scene Investigation: A Guide for First Responders (1994). This report guides law enforce­ment and other first responders who may be responsible for preserving an electronic crime scene and for recognizing, col­lecting, and safeguarding digital evidence. Shortlink: https://eff.org/DOJNIJ1st

DOJ Computer Crimes and Intellectual Property Section (CCIPS): Manual for Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (2009). This manual serves as a guide for federal prosecutors in cases involving the search and seizure of electronic devices. Shortlink: https://eff.org/ccips2009

DOJ: Obtaining and Admitting Electronic Evidence (2011). Shortlink: https://eff.org/DOJOAEE

California Department of Justice Training Guidelines for obtaining Digital Device Search Warrants under the California Electronic Communications Privacy Act (CalECPA). Shortlink: https:/eff.org/CADOJCalECPATraining

Law Enforcement Techniques for Searches and Data Extraction

There are different techniques for obtaining forensic images depending on the nature of the target device, the forensic tools used to access it, and whether or how security features on a target device limit the ability to access its internal data. For example, some forensic extraction methods may make an exact copy of all data on the target device, which may include some deleted data, like portions of deleted files or records pertaining to previously installed mobile applications. Other methods may copy only currently existing files (thereby excluding certain deleted data).

These extraction programs have the capacity to collect both metadata and content, such as texts, call logs, emails, photos, browsing history, account login information and passwords, location information, medical history, dating profiles, etc.—basically anything and everything that is recorded by the device. This can include technical information that is not normally displayed to the device’s user, for instance, activity logs, some location records, or technical details about networks to which the device was connected.

Forensic tools provide ever-more-capable search and summarization features to reconstruct user activity, visualize a user’s whereabouts over time, map apparent relationships and connections between individuals, recover deleted data, match files’ contents against contraband lists, and perform searches for keywords.

Sometimes, security measures on a device can limit the ability to perform some kinds of forensic extraction without the cooperation of the device owner. This situation may lead law enforcement to attempt to bypass security measures (such as a password), sometimes with help from a contractor or other government agency, or to try to induce or compel the user to help unlock a seized device.

There are many companies that make forensic search tools. A few examples of data extraction programs commonly used by law enforcement include:

  1. Cellebrite - https://www.cellebrite.com/
    1. This article provides an illustration of what a Cellebrite extraction report looks like: http://www.zdnet.com/article/israeli-firm-cellebrite-grab-phone-data-seconds/
    2. You can also watch a slideshow to learn about one of Cellebrite’s data extraction tools
  2. Securview - https://www.secureview.us/secure_view.html
  3. Oxygen - https://www.oxygen-forensic.com/
  4. FTK imager - https://accessdata.com/products-services/forensic-toolkit-ftk
  5. Encase - https://www.guidancesoftware.com/encase-forensic
    1. Article on Encase vulnerabilities: https://www.securityweek.com/forensics-tool-flaw-allows-hackers-manipulate-evidence
  6. MSAB XRY - https://www.msab.com/products/xry/
  7. E-Fense Helix3 - https://www.e-fense.com/h3-enterprise.php
  8. Magnet Axiom - https://www.magnetforensics.com/magnet-axiom/